abnormalpenguin.com

Offical Mirrors

Message-ID: <ct199g$1j4$1@news.ngi.it>
From: Andreas Liebschner <fizban@slackware.com>
Newsgroups: alt.os.linux.slackware
Subject: Re: ftp.scarlet.be no longer mirroring?
Date: Sun, 23 Jan 2005 23:46:20 +0100
References: <csunid$bki$1@skeeter.ucdavis.edu> <b0p5v01ubb783d04m0kmk4cjl7ph51scmo@4ax.com>
Lines: 37
Organization: NGI SpA - www.ngi.it
NNTP-Posting-Host: 81-174-11-144.f5.ngi.it
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: news.ngi.it 1106520176 1636 81.174.11.144 (23 Jan 2005 22:42:56 GMT)
X-Complaints-To: abuse@ngi.it
NNTP-Posting-Date: Sun, 23 Jan 2005 22:42:56 +0000 (UTC)
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
X-Accept-Language: en-us, en
In-Reply-To: <b0p5v01ubb783d04m0kmk4cjl7ph51scmo@4ax.com>
X-Enigmail-Version: 0.89.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime

Mark Post wrote:

> It's probably due to the same problem that I've been seeing with always
> getting:
> opening tcp connection to ftp.slackware.com port 873
> @ERROR: max connections (25) reached - try again later
> rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
> rsync error: error in rsync protocol data stream (code 12) at io.c(359)
>
>
> That's been going on for some time now. It's almost like someone is running
> a DOS attack against the server. With a max of 25 connections, that
> wouldn't be too hard.

Hi Mark, :-)

We will be pointing ftp.slackware.com to some other place (we meant to
do it some time ago, but with Pat's personal issues it just went low on
priority) as soon as possible, and in the mean time we already have
another place where Pat pushes updates to

I'm not going to write it on this newsgroup because then everyone would
start using it, and we'd be forced to login/pass restrict it for mirrors
only.

Anyway, if you or any mirror admin (just those listed on /getslack) is
having problems rsyncing from ftp.slackware.com, drop me an email at
mirrors@ or fizban@ and I'll point you out to the right direction - as
far as I know, ftp.scarlet.be should be aware of that server already,
but I might be wrong.

Also, to the users: if you notice a server "not so up to date", please
drop the server admin an email, and tell him/her to get in touch with
me. For me it's impossible to go mirror by mirror and check.. so your
help would be appreciated :-)

Andreas

October 11th 2004 Updates

patches/packages/rsync-2.6.3-i486-1.tgz:
Upgraded to rsync-2.6.3. From the rsync NEWS file:

A bug in the sanitize_path routine (which affects a non-chrooted rsync daemon) could allow a user to craft a pathname that would get transformed into an absolute path for certain options (but not for file-transfer names). If you're running an rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if the user privs you run rsync under is anything above "nobody".

Note that rsync, in daemon mode, sets the "use chroot" to true by default, and (in this default mode) is not vulnerable to this issue. I would strongly recommend against setting "use chroot" to false even if you've upgraded to this new package.
(* Security fix *)

October 4th 2004 Updates

patches/packages/getmail-4.2.0-noarch-1.tgz:
Upgraded to getmail-4.2.0. Earlier versions contained a local security flaw when used in an insecure fashion (surprise, running something as root that writes to user-controlled files or directories could allow the old symlink attack to clobber system files! :-)
From the getmail CHANGELOG:

This vulnerability is not exploitable if the administrator does not deliver mail to the maildirs/mbox files of untrusted local users, or if getmail is configured to use an external unprivileged MDA. This vulnerability is not remotely exploitable.

Most users would not use getmail in such as way as to be vulnerable to this flaw, but if your site does this package closes the hole. I'd also recommend not using getmail like this. Either run it as the user that owns the target mailbox, or deliver through an external MDA.
(* Security fix *)

patches/packages/zlib-1.2.2-i486-1.tgz:
Upgraded to zlib-1.2.2. This fixes a possible DoS in earlier versions of zlib-1.2.x.
(* Security fix *)

September 19th 2004 Updates

patches/packages/cups-1.1.21-i486-1.tgz:
Upgraded to cups-1.1.21. This fixes a flaw where a remote attacker can crash the CUPS server causing a denial of service. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558
(* Security fix *)

patches/packages/gtk+2-2.4.10-i486-1.tgz:
Upgraded to gtk+-2.4.10. This fixes security issues in the image loader routines that can crash applications.
(* Security fix *)

patches/packages/mozilla-1.7.3-i486-1.tgz:
Upgraded to mozilla-1.7.3. The Mozilla page says this fixes some "minor security holes". It also breaks Galeon and Epiphany, and new versions of these have still not appeared. In light of this, I think it's time to remove these Gecko-based browsers. The future is going to be Firefox and Thunderbird anyway, and I don't believe Galeon and Epiphany can be compiled against Firefox's libraries.
(* Security fix *)

patches/packages/mozilla-plugins-1.7.3-noarch-1.tgz:
Changed plugin symlinks for Mozilla 1.7.3.

patches/packages/xine-lib-1rc6a-i686-1.tgz:
Upgraded to xine-lib-1-rc6a. This release fixes a few overflows that could have security implications.
(* Security fix *)

September 13th 2004 Updates

patches/packages/samba-3.0.5-i486-3.tgz:
Patched two Denial of Service vulnerabilities in samba-3.0.5. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808
(* Security fix *)

September 10th 2004 Updates

patches/packages/proftpd-1.2.10-i486-1.tgz:
Upgraded to proftpd-1.2.10.

September 3rd 2004 Updates

patches/packages/glibc-2.3.2-i486-7.tgz:
Recompiled using 'strip -g' rather than 'strip --strip-unneeded' to avoid stripping symbols that are needed for debugging threads. Thanks to those who reported this bug, especially Ricardo Nabinger Sanchez who sent in a sample thread program that made it easy to test for the problem (and confirm the fix worked).

patches/packages/glibc-solibs-2.3.2-i486-7.tgz:
Recompiled using 'strip -g'.

patches/packages/kdebase-3.2.3-i486-2.tgz:
Patched frame injection vulnerability in Konqueror. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
(* Security fix *)

patches/packages/kdelibs-3.2.3-i486-2.tgz:
Patched unsafe temporary directory usage, cross-domain cookie injection vulnerability for certain country specific domains, and frame injection vulnerability in Konqueror. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746
(* Security fix *)

October 11th 2004 Updates

patches/packages/rsync-2.6.3-i386-1.tgz:
Upgraded to rsync-2.6.3. From the rsync NEWS file:

A bug in the sanitize_path routine (which affects a non-chrooted rsync daemon) could allow a user to craft a pathname that would get transformed into an absolute path for certain options (but not for file-transfer names). If you're running an rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if the user privs you run rsync under is anything above "nobody".

Note that rsync, in daemon mode, sets the "use chroot" to true by default, and (in this default mode) is not vulnerable to this issue. I would strongly recommend against setting "use chroot" to false even if you've upgraded to this new package.
(* Security fix *)

August 7th 2004 Updates

patches/packages/libpng-1.2.5-i486-1.tgz:
Upgraded to libpng-1.2.5 and patched possible security issues including buffer and integer overflows and null pointer references. These issues could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute. The PNG library is widely used within the system, so all sites should upgrade to the new libpng package.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
(* Security fix *)

patches/packages/sox-12.17.4-i386-3.tgz:
Patched buffer overflows that could allow a malicious WAV file to execute arbitrary code.
(* Security fix *)

July 25th 2004 Updates

patches/packages/mod_ssl-2.8.19_1.3.31-i386-1.tgz:
Upgraded to mod_ssl-2.8.19-1.3.31. This fixes a security hole (ssl_log() related format string vulnerability in mod_proxy hook functions), so sites using mod_ssl should upgrade to the new version. Be sure to back up your existing key files first.
(* Security fix *)

patches/packages/samba-2.2.10-i386-1.tgz:
Upgraded to samba-2.2.10. A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Affected Samba 2.2 installations can avoid this possible security bug by using the hash2 mangling method. Server installations requiring the hash mangling method are encouraged to upgrade to Samba v2.2.10 or v3.0.5.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
(* Security fix *)